This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

INDICATOR-COMPROMISE Suspicious .top dns query

Hello,

I'm receiving intrusion prevention alerts "INDICATOR-COMPROMISE Suspicious .top dns query", in which the sources are internal IPs and the destinations are DNS or google IPs.

Could anyone please let me know why I receive these alerts and what I have to do to stop them?

Thank you in advance.

This thread was automatically locked due to age.

0 alan weir over 2 years ago

Is the UTM being used as a DNS forwarder that your devices are pointing to? What is the rule ID in your logs? Is Google DNS a forwarder in the UTM?
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 2 years ago

I like Alan's suggestion. You might also try DNS best practice.

Cheers - Bobb

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel